[c-nsp] CRYPTO-3-IKMP_QUERY_KEY : Querying key pair failed ?

Alex Moya alexmoya at bellsouth.net
Wed Feb 27 20:42:29 EST 2008


This happens when the encryption is different. Check the crypto parameters.


On Feb 27, 2008, at 2:39 PM, Peter Rathlev <peter at rathlev.dk> wrote:

> Hi Matthew,
>
> I'm not sure about the logged message, but I've seen the
> "TP-self-signed" certificates when I enable "ip http secure-server" and
> IOS generates a certificate for this. If you don't use the certificates
> you could just remove them and see if that helps.
>
> I couldn't figure out from your mail whether the VPN succeeds. Is that
> message the only thing it says from a debug? I'm not very familiar with
> VTI, having only used IPSec/GRE, but does a "debug crypto isakmp" give
> you any meaningful information?
>
> Regards,
> Peter
>
>
> On Wed, 2008-02-27 at 08:44 -0800, matthew zeier wrote:
>> Trying to set up a VTI IPSEC VPN between a 3845 and an 1841.  The 3845
>> has a couple vpns already up and working, one of which is a VTI to a 2800.
>>
>> The log just spits out:
>>
>>
>> CRYPTO-3-IKMP_QUERY_KEY : Querying key pair failed.
>>
>> Cisco says -
>>
>> Explanation: A public key or private key query attempt that used a
>> subject name has failed.
>>
>> Recommended Action: Check the subject name in the certificate.
>>
>> I'm not sure what cert it's talking about or how to fix that.  The 1841
>> does have
>>
>> crypto pki trustpoint TP-self-signed-2501804736
>>  enrollment selfsigned
>>  subject-name cn=IOS-Self-Signed-Certificate-2501804736
>>  revocation-check none
>>  rsakeypair TP-self-signed-2501804736
>>
>> crypto pki certificate chain TP-self-signed-2501804736
>> ...
>>
>> Neither of those exist on any of my other routers and I'm not familiar
>> with them.
>>
>> Any clues?
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

